If nothing could ever go wrong, we wouldn't need to worry about protecting
those network assets. But, of course, things do go wrong, and many of those
things are related to security threats. In Chapter 2, "Information Assets,"
we said that you need to be able to identify just what your information assets
are, what you need to protect them from, and what tools you might have available
to do that job, and do it while keeping the network usable by the ordinary
user. This is where we look at what you're protecting those information
assets from. Cisco breaks out threats by their origin and by their type.

Origin

Threats can originate from inside or outside your network. That is actually
not always an easy line to draw, though, as we'll see.

Internal Threats

When the SAFE Blueprint discusses the origin of threats (internal versus
external), it repeats the perception that most threats actually originate inside
the network instead of penetrating your perimeter from the outside. Although
that has historically been true, it could be changing. Every year, the FBI and
the Computer Security Institute conduct and then publish a survey on the threats
large organizations actually faced in the previous year. The percentage of
incidents that originate outside the network is now essentially equal to the
number originating inside the network. You might have heard about this or seen
it written in industry publications. For the purposes of taking the test,
however, you should be prepared to say that the majority of threats originate
inside the network rather than coming from external sources.

What or who are these internal threats? People, of course, but it helps to
narrow the most likely candidates rather than simply assuming that all people
inside your network are threats. Of course, in some very security-conscious
networks, everyone must be considered a potential suspect, but even there, some
people are more likely candidates than others. Who among these people on the
inside are likely to cause problems?

Current employees with dubious intentions

Current employees with unauthorized activities

Employees who mismanage their environment

Contractors who fit these same descriptions

Bad Intentions

Why would employees or contractors want to hurt the company, especially when
jobs are tight? There are as many reasons as there are people: Someone might
have a grudge for a promotion that he felt was deserved but went to someone
else; another person might think that by creating a problem, she'll be a
hero for finding and fixing it. At least in this category, you can confidently
say that the person intended to do the enterprise harm (even if the goal might
have been to fix it later). Likewise, someone who has done something wrong
(embezzling or stealing from inventory, for instance) might want to limit the
visibility of that wrong by removing evidence of the actions. Some employees, of
course, will never be satisfied; no matter what management does to accommodate
them, they will remain disgruntled.

Unauthorized Activities

So many stories have arisen of employees or departed contractors hosting
illicit Web sites, or even web-based businesses, on a company's network
that it's easy to become blasé about the entire idea. But it remains
true: People do use corporate resources to host pornographic Web sites and to
host music and movie files for peer-to-peer swapping. People do use their
corporate email accounts to buy or sell items on EBay or other auction sites. As
this was written, yet another article appeared on IDG.net reporting that more
than three quarters of business networks checked had unauthorized peer-to-peer
networking software installed, and no company with more than 500 PCs had none.
Unauthorized uses also include hosting other businesses, some of which might be
legal under authorized circumstances, or hosting personal sites.

Outside audits regularly uncover evidence of these activities, and people are
even fired for having done them. Yet the next audit might find that another
entrepreneur has taken the departed first business operator's place, with a
new and improved set of activities. The problem here is less the intent to do
harm (because harm raises interest in what's going on and draws unwelcome
management attention) than it is that these activities introduce code that IT
does not know is operating. The code might have vulnerabilities that can be
exploited if the customers, or even the browsers, include hackers.

One other related factor to remember is this: Allowing unauthorized hosting
makes a business look incompetent in managing its own affairs, which is very bad
for its image in front of the public. If that unauthorized activity includes
illegal business, such as pornography or peer-to-peer file sharing, the business
can be held legally liable for allowing it to happen. That could prove very
expensive.

Mismanagers

These are not the pointy-haired bosses of Dilbert fame; they are otherwise
well-intentioned persons (employees or contractors) who make changes to their
operating environment. Those changes can introduce holes in an otherwise
well-guarded network. An example is an employee who likes to get a little more
work done after hours from home and installs a package such as pcAnywhere for
operating his desktop remotely. pcAnywhere is a commercial product, not malware,
but if it is operating and IT doesn't know about it, it can create an
opening in perimeter security that a hacker can exploit. Many employees,
including less-experienced system administrators who should know better, or
contractors use Instant Messaging or Internet Relay Chat without authorization.
This, too, creates openings for malware. Many worms are now entering networks
via chat because antivirus packages do not scan every object that enters; they
scan only those that enter via email. Full-system virus scans will eventually
catch the malware (if definition files are kept current), but cleanup is much
harder than prevention. Again, there is probably no intent to cause harm, but an
exposure is created by the addition of unmaintained or unauthorized software.
That doesn't begin to address those who add a modem to dial in....
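As an added example (not from the book or from Cisco), one way IT can surface the unauthorized software described in the last two sections is to compare what each host is actually listening on against an approved baseline; the listener lines, the baseline, and the hostname-prefix convention below are all constructed assumptions.

```python
"""Flag listening services that IT has not approved (added example; the
listener lines, baseline and host-naming convention are assumptions)."""

# Constructed sample: one listener per line, gathered from several hosts.
SAMPLE_LISTENERS = """\
host=fileserver01 proto=tcp port=445
host=fileserver01 proto=tcp port=139
host=desktop-jdoe proto=tcp port=5631
host=desktop-jdoe proto=udp port=5632
host=desktop-asmith proto=tcp port=6667
host=desktop-asmith proto=tcp port=6881
host=webserver02 proto=tcp port=80
host=webserver02 proto=tcp port=443
"""

# Assumed baseline: what each host role (by hostname prefix) may offer.
APPROVED = {
    "fileserver": {("tcp", 445), ("tcp", 139)},
    "webserver": {("tcp", 80), ("tcp", 443)},
    "desktop": set(),  # desktops are not supposed to offer any service
}

# Default ports of software the chapter names as unauthorized on a network.
KNOWN_UNAUTHORIZED = {
    ("tcp", 5631): "pcAnywhere (data)",
    ("udp", 5632): "pcAnywhere (status)",
    ("tcp", 6667): "IRC",
    ("tcp", 6881): "BitTorrent peer-to-peer",
}

def parse_listeners(text):
    """Turn key=value lines into (host, proto, port) tuples, skipping blanks."""
    rows = []
    for line in filter(str.strip, text.splitlines()):
        fields = dict(item.split("=", 1) for item in line.split())
        rows.append((fields["host"], fields["proto"], int(fields["port"])))
    return rows

def host_role(host):
    """Derive the role from the hostname prefix; unknown hosts get no baseline."""
    return next((r for r in APPROVED if host.startswith(r)), "unknown")

def find_unauthorized(text):
    """Return each listener that falls outside its host's approved baseline."""
    findings = []
    for host, proto, port in parse_listeners(text):
        if (proto, port) not in APPROVED.get(host_role(host), set()):
            findings.append((host, proto, port,
                             KNOWN_UNAUTHORIZED.get((proto, port), "unidentified")))
    return findings
```

Anything reported as "unidentified" is still a finding: the point is that IT did not know the service was running, whatever it turns out to be.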

External Threats

If internal threats are people inside the network, external threats must be
people outside the network, right? Remember, however, that when you break things
down simplistically like this, much depends on where you draw the network
boundary. For instance, if you draw the boundary at your edge, remote users are
external. Even if they tunnel in, you might not necessarily extend the network
boundary to their devices, especially if they are connecting via the Internet.
You might want to keep thinking of them as external.

In this case, though, the external threat is not directly the person, who
might or might not be the kind of person we would say fits the internal threat
category (if accessing the network from inside). Instead, the external threat is
the fact that the device used (whether a laptop for a mobile worker or a desktop
for a teleworker) is significantly exposed to the outside world, especially the
Internet. Unlike a host inside your perimeter (in your campus), this host might
spend much of its time on the Internet without necessarily going through your
security precautions. (There's a way around that, which we'll discuss
when we cover some design alternatives in Chapters 11, "The Medium Network
Implementation," and 12, "The Remote-User Design," but there are
always disadvantages as well as advantages associated with choosing the
alternatives.)

The courseware for Cisco's SAFE Implementation course also categorizes
external threats as structured or unstructured. "Structure," in this
context, refers to the degree of organization and planning, or the amount of
method applied in the attack, as opposed to haphazard efforts that might seem
almost random to an observer. Note that both structured and unstructured threats
can be malicious in intent or can be the result of human clumsiness or error.

More conventional external threats are people outside your organization.
Cisco categorizes them as follows:

Thrill-seekers

Competitors

Enemies

Spies

Thieves

Hostile former employees

Others

The thrill-seekers are often simply engaging in a social activity: seeing
what they can find and/or trying to impress their friends; they generally pose
an unstructured, but still dangerous, threat. Thrill-seekers might or
might not have substantial skill; they are often (but not always) script
kiddies: relatively unskilled users running scripts developed by skilled
users that the script kiddies often do not understand. The clumsiness and
ignorance of these thrill-seekers can cause significant damage if they manage to
penetrate a network. Some of the more well-known scripted tools are L0phtcrack
for password cracking and BackOrifice for exploiting vulnerabilities in
Microsoft's Office suite of products.

Competitors, of course, exist everywhere in economic life, but business
competitors can have a significant incentive to snoop in your network: It can
save them millions of dollars if they can learn the lessons of your development
without spending the money it cost you to learn them. Most businesses maintain a
group to analyze their competition, using whatever information becomes
available.

Spies are a threat to businesses as well as governments. Because of the high
cost of developing new products and the intensity of competition, which leads to
lower prices, corporate espionage is a problem to protect against. If you
don't think corporate espionage really happens, consider first that Cisco
thinks that it is serious (which makes it serious for the exam, of course).
Second, take some time to read a few of the reference books listed at the end of
the chapter. The stories in them have been sanitized to avoid lawsuits, but they
are otherwise real.

NOTE

So what exactly is the difference between competitors and spies? Cisco
doesn't really say, but this might help: Competitors are in the same line
of business (pharmaceuticals, mufflers, batteries, and so on), while spies are
in the information business. Spies are usually third parties that obtain
information for others; competitors are trying to obtain it for themselves.
Either way, the hackers here generally pose a structured threat due to their
greater skill and more organized effort.

Thieves are another group that has plagued business since there was such a
thing as business. And the crime must pay (or, at least, be expected to pay)
often enough to make it worthwhile to keep trying theft. What can be stolen via
a network? Information such as credit card numbers or other data for
perpetrating identity theft is always valuable. Surprisingly, information about
the network can be valuable: If you can learn enough about the network devices,
you might be able to control them and the traffic they carry. In short, if it
can be used to create value for someone, it can be expected to be stolen at some
point.

Hostile former employees (or contractors), such as current employees with a
grudge, seek to damage the network or information assets for revenge. Sometimes
they want to "get even" for whatever affronted them by stealing and
selling information. What makes them different from outsiders is the likelihood
that they have at least some inside information about the network; they
start with an advantage over other outside threats.

Finally, Cisco provides the catchall category of "other." As one
policeman said, whenever you think you've seen it all, you wake up one
morning and realize that you haven't seen it all. A time will come when you
will find a network threat that doesn't exactly fit any of the specific
categories; that will be your example of the "other" group.